Use the enforcement functions to mitigate an incident or contain a threat, such as malware, on a remote Microsoft Windows system. You can trigger actions that execute these functions directly from an event or alarm, and easily create a rule to execute the function for similar events or alarms that occur in the future. You can also create a scheduled job to execute one or more functions for a specific asset, such as performing a system restart at the same time each day.
Important: These functions are supported only for Windows hosts in your USM Anywhere asset inventory.
Target assets must have assigned credentials that are suitable for system-level access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.
Use this function to set or update a registry key to a standard string (REG_SZ) value on a Windows target system.
You can run this function using the Set Registry Key to String action from the BlueApp for LevelBlue Forensics and Response page or as an action from an orchestration rule. Set the parameters according to the registry key and value.
Path: Enter the path for the registry key. For example, HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion.
Name: Enter the name of the registry key. For example, MyKey.
Value: Enter the new value for the key as a standard string format. For example, New-Key-Value.
Use this function to set or update a registry key to a 32-bit integer (REG_DWORD) value on a Windows target system.
You can run this function using the Set Registry Key to DWORD action from the BlueApp for LevelBlue Forensics and Response page or as an action from an orchestration rule. Set the parameters according to the registry key and value.
Path: Enter the path for the registry key. For example, HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion.
Name: Enter the name of the registry key. For example, MyVersionKey.
Value: Enter the new value for the key as a 32-bit integer (REG_DWORD). For example, 108.
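The two registry functions above differ only in the value type they write. The following PowerShell is an added example, not code from the BlueApp, showing what each does on the host with the example values from this page, and recording the previous data so the change can be reversed. It assumes an elevated session on the Windows target; note that in PowerShell's registry provider the Path is the key and the Name is a value under that key.

```powershell
# Added example (not the BlueApp's own code): what "Set Registry Key to String"
# and "Set Registry Key to DWORD" do on the host, using the page's example values.
# Assumes an elevated PowerShell session on the Windows target.

function Set-RegistryValueChecked {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
        [Parameter(Mandatory)] [string] $Name,   # value name under that key, e.g. MyKey
        [Parameter(Mandatory)] $Value,           # 'New-Key-Value' or 108
        [Parameter(Mandatory)] [ValidateSet('String', 'DWord')] [string] $Type
    )

    if (-not (Test-Path -Path $Path)) {
        throw "Registry key '$Path' does not exist; refusing to create it implicitly."
    }

    # Record the previous data (if any) so the change can be reversed and audited.
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    # Set-ItemProperty creates the value if it is missing and overwrites it otherwise.
    # -Type String writes REG_SZ; -Type DWord writes a 32-bit REG_DWORD.
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type

    # Verify both the stored data and its registry type.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    $kind  = (Get-Item -Path $Path).GetValueKind($Name)

    [pscustomobject]@{
        Path   = $Path
        Name   = $Name
        Before = $before
        After  = $after
        Kind   = $kind      # RegistryValueKind: String or DWord
    }
}

# The two examples from the page:
Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Name 'MyKey' -Value 'New-Key-Value' -Type String
Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Name 'MyVersionKey' -Value 108 -Type DWord
```

Keep the returned Before value with the incident record: a registry change made from an orchestration rule is easy to forget, and the saved data is what lets you restore the original setting once the incident is closed.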
Use this function to disable all the network interfaces on a Windows target system. This is typically executed to isolate a system that has been compromised or is infected with malware.
You can run this function using the Disable Networking action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.
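Because this action brings down every interface, it also severs the remote management channel the BlueApp uses, so nothing further can be done to the host remotely until an operator re-enables an adapter from the console. The following PowerShell is an added example, not the BlueApp's code, that performs the same isolation but first saves which adapters were up; the snapshot path is an assumed location.

```powershell
# Added example (not the BlueApp's own code): the effect of "Disable Networking",
# written so the pre-isolation state is saved before the interfaces go down.
# Assumes an elevated session; the snapshot path is a constructed example.

$snapshot = 'C:\ProgramData\usm-isolation-adapters.csv'   # assumed location

# Capture every adapter that is currently up, so a console operator can
# restore exactly that set later with Enable-NetAdapter.
$up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
$up | Select-Object Name, InterfaceDescription, MacAddress, ifIndex |
    Export-Csv -Path $snapshot -NoTypeInformation

# Disable them all. -Confirm:$false suppresses the interactive prompt so the
# command completes when run non-interactively from an orchestration rule.
$up | Disable-NetAdapter -Confirm:$false

# Re-enabling later, from a local console session (the remote channel is gone):
#   Import-Csv $snapshot | ForEach-Object { Enable-NetAdapter -Name $_.Name -Confirm:$false }
```

Run any evidence collection you need (process list, connections, memory capture) before triggering this action, since afterwards the host can only be reached at the console.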
Use this function to shut down a Windows target system. This is a typical response action in situations where a system is compromised and must be shut down in order to stop further damage.
You can run this function using the Shutdown action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.
Use this function to stop a process on a Windows target system using the process identification (ID). This function returns information about the terminated process and USM Anywhere displays this as an event.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter stopProcess as the value.
First Optional Parameter: Enter the name for the process to be stopped. For example, TermService. If needed, you can determine this value by executing a Get Processes function.
Use this function to disable a local user account on a Windows target system.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter disableLocalUser as the value.
First Optional Parameter: Enter the name of the user account to be disabled. For example, TempUser. If needed, you can determine this value by executing a Get Users function.
Use this function to disable an Active Directory (AD) user account on a Windows target system that is configured as an AD domain controller.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter disableADUser as the value.
First Optional Parameter: Enter the name of the AD user account to be disabled. For example, TempUser. If needed, you can determine this value by executing a Get AD Users function.
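The disableLocalUser and disableADUser functions map to two different account stores. The following PowerShell is an added example, not the BlueApp's code, that disables either kind of account and reports the resulting state. TempUser is the page's example name; the AD branch assumes the host is a domain controller (or has RSAT installed) so the ActiveDirectory module is available.

```powershell
# Added example (not the BlueApp's own code): disables a local or an AD account
# and reports the resulting state, mirroring disableLocalUser / disableADUser.
# 'TempUser' is the page's example name; the AD branch assumes the host is a
# domain controller (or has RSAT) so the ActiveDirectory module is present.

function Disable-AccountChecked {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Local', 'AD')] [string] $Scope
    )

    if ($Scope -eq 'Local') {
        $acct = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
        if (-not $acct) { throw "Local user '$Name' not found." }
        if (-not $acct.Enabled) { Write-Warning "Local user '$Name' is already disabled." }
        Disable-LocalUser -Name $Name
        $state = (Get-LocalUser -Name $Name).Enabled
    }
    else {
        Import-Module ActiveDirectory -ErrorAction Stop
        # Get-ADUser -Identity throws a terminating error for an unknown identity,
        # so a try/catch is needed rather than -ErrorAction SilentlyContinue.
        try { $acct = Get-ADUser -Identity $Name } catch { throw "AD user '$Name' not found: $_" }
        if (-not $acct.Enabled) { Write-Warning "AD user '$Name' is already disabled." }
        Disable-ADAccount -Identity $Name
        $state = (Get-ADUser -Identity $Name).Enabled
    }

    [pscustomobject]@{ Name = $Name; Scope = $Scope; Enabled = $state }
}

Disable-AccountChecked -Name 'TempUser' -Scope Local
Disable-AccountChecked -Name 'TempUser' -Scope AD
```

Disabling an account prevents new logons but does not end sessions the account already holds; if the account is the one an attacker is actively using, pair this with stopping its processes or isolating the host.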
Use this function to stop a service on the target system using the service name and retrieve information about the stopped service.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter stopService as the value.
First Optional Parameter: Enter the name of the service to be stopped. If needed, you can determine this value by executing a Get Running Services data collection function.
Use this function to restart a service on the target system using the service name.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter restartService as the value.
First Optional Parameter: Enter the name of the service to be restarted. If needed, you can determine this value by executing a Get Running Services data collection function.
Use this function to send messages to a user connected to the target system.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter sendMessage as the value.
First Optional Parameter: Enter the user account name. A value of * sends the message to all connected users.
Second Optional Parameter: Enter the message text.
Use this function to create a new rule in the Windows firewall to block outbound connections to a specified address. This is useful for blocking connections to a command-and-control server when a system has been compromised.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter blockRemoteAddressOutbound as the value.
First Optional Parameter: Enter the remote IP address to be blocked.
Use this function to create a new rule in the Windows firewall to block inbound connections from a specified address. This is useful to block the source of an attacker that is launching a brute force, denial of service (DoS), or other attack.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter blockRemoteAddressInbound as the value.
First Optional Parameter: Enter the remote IP address to be blocked.
Use this function to create a new rule in the Windows firewall to block inbound connections to a specific port.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter blockInboundPort as the value.
First Optional Parameter: Enter the port number to be blocked.
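The three firewall functions above each create one block rule. The following PowerShell is an added example, not the BlueApp's code, that creates the same three kinds of rule idempotently and then runs the checks that determine whether a rule will actually take effect. The addresses (from the TEST-NET documentation ranges), the port, the USM-Block naming prefix and the assumption that the port rule is for TCP are all constructed for the example.

```powershell
# Added example (not the BlueApp's own code): the three block rules behind
# blockRemoteAddressOutbound, blockRemoteAddressInbound and blockInboundPort,
# plus the checks that decide whether the rule will actually take effect.
# The addresses (TEST-NET ranges), port, rule-name prefix and TCP protocol
# are constructed sample values.

function Add-BlockRule {
    param(
        [Parameter(Mandatory)] [ValidateSet('Inbound', 'Outbound')] [string] $Direction,
        [string] $RemoteAddress,       # IP to block (address rules)
        [int]    $LocalPort,           # port to block (port rule)
        [string] $Prefix = 'USM-Block' # assumed naming convention
    )
    $params = @{ Direction = $Direction; Action = 'Block'; Profile = 'Any' }
    if ($RemoteAddress) {
        $params.RemoteAddress = $RemoteAddress
        $params.DisplayName   = "$Prefix-$Direction-$RemoteAddress"
    } elseif ($LocalPort) {
        $params.Protocol    = 'TCP'     # assumption: the page does not state a protocol
        $params.LocalPort   = $LocalPort
        $params.DisplayName = "$Prefix-$Direction-Port$LocalPort"
    } else {
        throw 'Specify either -RemoteAddress or -LocalPort.'
    }
    # Re-runs from an orchestration rule should not pile up duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $params.DisplayName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetFirewallRule @params
}

$rules = @(
    Add-BlockRule -Direction Outbound -RemoteAddress '192.0.2.10'    # suspected C2 address (constructed)
    Add-BlockRule -Direction Inbound  -RemoteAddress '198.51.100.7'  # brute-force source (constructed)
    Add-BlockRule -Direction Inbound  -LocalPort 3389                # stop further inbound RDP
)

# Verification: a block rule only bites if the firewall is enabled for the active profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$rules | Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress
$rules | Get-NetFirewallPortFilter    | Select-Object InstanceID, Protocol, LocalPort
```

In Windows Firewall a block rule wins over any allow rule that matches the same traffic, so these rules do not need to be ordered; what they do need is a firewall profile that is enabled, which is why the profile check is part of the example.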
Use this function to restart the target system.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter restart as the value.
Use this function to shut down the target system.
You can run this function using the Shutdown action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.
Use this function to restore the target system to the specified restore point.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter restore as the value.
First Optional Parameter: Enter the ID for the restore point. If needed, you can determine this value by executing a Get Restore Points data collection function.
Use this function to enable a Windows EventLog channel on the target system.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter enableLogChannel as the value.
Use this function to disable a Windows EventLog channel on the target system.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter disableLogChannel as the value.
Use this function to launch a Windows Defender scan on the target system.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter launchWindowsDefenderScan as the value.
First Optional Parameter: Enter the scan type. This value can be QuickScan, FullScan, or CustomScan.
Second Optional Parameter: If you specify the CustomScan type, enter the path to scan (for example, C:\Directory).
Use this function to update the Windows Defender signatures on the target system from the Microsoft update server.
You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:
Query: Enter updateWindowsDefenderSignatures as the value.
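The two Defender functions are normally run together: refresh signatures, then scan. The following PowerShell is an added example, not the BlueApp's code, that does both on the host and enforces the parameter rule stated above (CustomScan requires a path) before anything starts. C:\Directory is the page's example path; the function and its output fields are the example's own.

```powershell
# Added example (not the BlueApp's own code): updateWindowsDefenderSignatures
# followed by launchWindowsDefenderScan, with the parameter rule from the page
# (CustomScan requires a path) enforced up front. 'C:\Directory' is the page's example path.

function Invoke-DefenderResponse {
    param(
        [Parameter(Mandatory)] [ValidateSet('QuickScan', 'FullScan', 'CustomScan')] [string] $ScanType,
        [string] $ScanPath
    )
    if ($ScanType -eq 'CustomScan' -and -not $ScanPath) {
        throw 'CustomScan requires -ScanPath (the second optional parameter).'
    }
    if ($ScanPath -and -not (Test-Path -Path $ScanPath)) {
        throw "Scan path '$ScanPath' does not exist."
    }

    # Refresh definitions first so the scan uses current signatures; record the change.
    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    Update-MpSignature -ErrorAction Stop      # default source is Microsoft Update
    $status = Get-MpComputerStatus

    # Start-MpScan blocks until the scan finishes; a FullScan can take a long time.
    if ($ScanType -eq 'CustomScan') {
        Start-MpScan -ScanType CustomScan -ScanPath $ScanPath
    } else {
        Start-MpScan -ScanType $ScanType
    }

    [pscustomobject]@{
        SignatureBefore = $before
        SignatureAfter  = $status.AntivirusSignatureVersion
        SignatureAge    = $status.AntivirusSignatureAge   # days since the definitions were built
        ScanType        = $ScanType
        ScanPath        = $ScanPath
        # Detections Defender has recorded on this host, newest first.
        Detections      = Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
                              Select-Object -First 10 ThreatID, ProcessName, InitialDetectionTime, Resources
    }
}

Invoke-DefenderResponse -ScanType QuickScan
Invoke-DefenderResponse -ScanType CustomScan -ScanPath 'C:\Directory'
```

Comparing SignatureBefore and SignatureAfter tells you whether the host could actually reach the update server; a scan run with stale signatures on an isolated host is a common reason a known sample is missed.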